Only six months after the Strava breach reveal, new research is showing that another fitness app is also compromising user data. This time it’s Polar.
Dutch news website De Correspondent and open source investigative site Bellingcat have discovered just how dead simple it can be to track down the names and addresses of over 6,460 users of Polar’s Polar Flow app, including thousands of soldiers and secret agents.
In their drills, the investigators were able to find names and addresses of personnel at intelligence agencies including the NSA and Secret Service in the US, the GCHQ and MI6 in the UK, the GRU and the SVR RF in Russia, the DGSE in France, and the MIVD in the Netherlands. They were also able to find the same data for personnel at military bases including Guantánamo Bay in Cuba and Erbil in Iraq, and bases in Afghanistan, Saudi Arabia, Qatar, and South Korea, as well as for personnel at nuclear storage facilities, maximum security prisons, drone bases, and military airports that housed nuclear weapons.
The worst part is that digging up this info did not require any hacking or technical know-how. All it took was a Polar account and a basic understanding of computers.
The process was alarmingly simple. Polar provides an online map to all its users; the map displays every run, bike ride, and swim its users have logged since 2014. Here’s how they found the addresses of users:
- Zooming into an area reveals icons that mark where users have exercised.
- Clicking on an icon reveals details about a user’s workout, including their username.
- Zooming out after clicking on the icon reveals that specific user’s other activities.
- Those activities typically form a pattern which can be used to deduce information – looking at running routes can often reveal the user’s house, for instance.
So by simply zooming in on a sensitive facility, one might be able to gather data on the military personnel who operate in it.
Not Polar’s Fault
By default, the Polar app sharing settings are set to private. Unfortunately, however, some users do not take their security seriously. According to Polar, 2% of its users share workouts on the activity map.
After the news broke, Polar took its map offline. Dutch authorities said that they will be working on a plan that prohibits the use of fitness apps for “specific employees under specific circumstances.”